Abstract. Given two elliptic curves over a finite field having the same cardinality and endomorphism ring, it is known that the curves admit an isogeny between them, but finding such an isogeny is believed to be computationally difficult. The fastest known classical algorithm takes exponential time, and prior to our work no faster quantum algorithm was known. Recently, public-key cryptosystems based on the presumed hardness of this problem have been proposed as candidates for post-quantum cryptography. In this paper, we give a subexponential-time quantum algorithm for constructing isogenies, assuming the Generalized Riemann Hypothesis (but with no other assumptions). Our algorithm is based on a reduction to a hidden shift problem, together with a new subexponential-time algorithm for evaluating isogenies from kernel ideals (under only GRH), and represents the first nontrivial application of Kuperberg's quantum algorithm for the hidden shift problem. This result suggests that isogeny-based cryptosystems may be uncompetitive with more mainstream quantum-resistant cryptosystems such as lattice-based cryptosystems.

1 Introduction 

We consider the problem of constructing an isogeny between two given isogenous ordinary elliptic curves defined over a finite field $\mathbb{F}_q$ and having the same endomorphism ring. (Two such curves are called horizontally isogenous.) This problem has led to several applications in elliptic curve cryptography, both constructive and destructive. The fastest known probabilistic algorithm for solving this problem is the algorithm of Galbraith and Stolbunov [18], based on the work of Galbraith, Hess, and Smart [17]. Their algorithm is exponential, with a worst-case (and average-case) running time roughly proportional to

Although quantum attacks are known against several cryptographic protocols of an algebraic 
nature [12,19,34], until now there has been no nontrivial quantum algorithm for constructing 
isogenies. The difficulty of this problem has led to various constructions of public-key cryptosystems 
based on finding isogenies, beginning with a proposal of Couveignes [10]. More recently, Rostovtsev 
and Stolbunov [29] and Stolbunov [36] proposed refined versions of these cryptosystems with the 
specific aim of obtaining cryptographic protocols that resist attacks by quantum computers. 

In this work, we give a subexponential-time quantum algorithm for constructing an isogeny between two given horizontally isogenous elliptic curves, and show that the running time of our algorithm is bounded above by $L_q(\frac{1}{2}, \frac{\sqrt{3}}{2})$ under (only) the Generalized Riemann Hypothesis (GRH). This result raises serious questions about the viability of isogeny-based cryptosystems in the context of quantum computers. At present, isogeny-based cryptosystems are not especially attractive since their performance is poor compared to other quantum-resistant cryptosystems, such as lattice-based cryptography [20]. Nevertheless, they represent a distinct family of cryptosystems worthy of analysis (for reasons of diversity if nothing else, given the small number of quantum-resistant public-key cryptosystem families available [27]). Since isogeny-based cryptosystems already perform poorly at moderate security levels [36, Table 1], any improved attacks such as ours would seem to disqualify such systems from consideration in a post-quantum world.

1.1 Contributions 

Our first main contribution, described in Section 5, is a reduction from the problem of isogeny construction to the abelian hidden shift problem. While a connection between isogenies and hidden shifts was noted previously by Stolbunov [36], we observe that the reduction gives an injective hidden shift problem. This allows us to apply an algorithm of Kuperberg [25] to solve the hidden shift problem using a subexponential number of queries to certain functions. This reduction constitutes the first nontrivial application of Kuperberg's algorithm outside of the black-box setting.

The reduction to the hidden shift problem alone does not immediately give a subexponential-time algorithm for computing isogenies, because one must consider the time required to compute the hiding functions. Indeed, prior to our work there was no known subexponential-time algorithm to evaluate these functions. Our second main contribution, described in Section 4, is a subexponential-time (classical) algorithm to compute the isogeny star operator, which is defined as a certain action of an ideal class group on a set of elliptic curves. In this way we can compute the hiding functions in subexponential time and thus obtain a subexponential-time reduction to the hidden shift problem. Unlike previous algorithms for isogeny computation [16, 17, 23], our runtime analysis assumes only GRH, whereas all previous subexponential-time algorithms for isogeny problems have required additional heuristic assumptions. We achieve this improvement using expansion properties of a certain Cayley graph [22]. The same idea can also be used to obtain subexponential algorithms (under only GRH) for evaluating isogenies (see Remark 4.9). In addition, Bisson [4] has shown that our method yields a subexponential algorithm for computing endomorphism rings of ordinary elliptic curves under GRH.

Kuperberg's algorithm for the abelian hidden shift problem uses superpolynomial space (i.e., a quantum computer with superpolynomially many qubits), so the same is true of the most straightforward version of our algorithm. Since it is difficult to build quantum computers with many qubits, this feature could limit the applicability of our result. However, we also obtain an algorithm using polynomial space by taking advantage of an alternative approach to the abelian hidden shift problem due to Regev [28]. Regev only explicitly considered the case of the hidden shift problem in a cyclic group whose order is a power of 2, and even in that case did not compute the constant in the exponent of the running time. We fill both of these gaps in our work, showing that the hidden shift problem in any finite abelian group $A$ can be solved in time $L_{|A|}(\frac{1}{2}, \sqrt{2})$ by a quantum computer using only polynomial space. Consequently, we give a polynomial-space quantum algorithm for isogeny construction using time $L_q(\frac{1}{2}, \frac{\sqrt{3}}{2} + \sqrt{2})$. The group relevant to isogeny construction is not always cyclic, so the extension to general abelian groups is necessary for our application.

1.2 Related work 

Our algorithm for evaluating the isogeny star operator is based on reducing an ideal modulo principal ideals to obtain a smooth ideal. This idea is originally due to Galbraith, Hess, and Smart [17]. Bröker, Charles, and Lauter [7] and Jao and Soukharev [23] also use this idea to give algorithms for evaluating isogenies. Bisson and Sutherland [5] use a similar smoothing technique to compute endomorphism rings in subexponential time. We stress that, with the exception of [7], which is restricted in scope to small discriminants, all the results mentioned above make heuristic assumptions of varying severity [5, §4] [17, p. 37] [23, p. 224] in addition to the Generalized Riemann Hypothesis in the course of proving their respective runtime claims. Our work is the first to achieve provably subexponential running time with no heuristic assumptions other than GRH. In practice, the heuristic algorithms in [5] and [23] run slightly faster than our algorithms in Section 4, because they make use of an optimized exponent distribution (originating from [5]) that minimizes the number of large degree isogenies appearing in the smooth factorization. Our work does not use this optimization, because doing so would reintroduce the need for additional heuristic assumptions.

An alternative approach to computing isogenies, given in Couveignes [10, p. 11] and Stolbunov [36, p. 227], is to treat the class group as a $\mathbb{Z}$-module and use lattice basis reduction to compute the isogeny star operator. In practice, the lattice-based approach works well for moderate parameter sizes. However, since it amounts to solving the closest vector problem, the method asymptotically requires exponential time (even with known quantum algorithms), and thus is slower than our approach.

2 Isogenies 

For general background on elliptic curves, we refer the reader to Silverman [35]. 

Let $E$ and $E'$ be elliptic curves defined over a field $F$. An isogeny $\phi: E \to E'$ is an algebraic morphism satisfying $\phi(\infty) = \infty$. The degree of an isogeny is its degree as an algebraic map. The endomorphism ring $\mathrm{End}(E)$ is the set of isogenies from $E(F)$ to itself. This set forms a ring under pointwise addition and composition.

When $F$ is a finite field, the rank of $\mathrm{End}(E)$ as a $\mathbb{Z}$-module is either 2 or 4. We say $E$ is supersingular if the rank is 4, and ordinary otherwise. A supersingular curve cannot be isogenous to an ordinary curve. Most elliptic curves are ordinary (in particular, supersingular curves have density zero [32]), and most current proposals for isogeny-based cryptography (including all published isogeny-based public-key cryptosystems) use ordinary curves. Thus, in this paper we restrict our attention to ordinary elliptic curves. It remains an interesting open problem to study cryptographic applications of isogenies between supersingular curves and to better understand the computational difficulty of computing such isogenies, but we do not address this issue.

Over a finite field $\mathbb{F}_q$, two elliptic curves $E$ and $E'$ are isogenous if and only if $\#E(\mathbb{F}_q) = \#E'(\mathbb{F}_q)$ [37]. The endomorphism ring of an ordinary elliptic curve over a finite field is an imaginary quadratic order $\mathcal{O}_\Delta$ of discriminant $\Delta < 0$. The set of all isomorphism classes (over $\mathbb{F}_q$) of isogenous curves with endomorphism ring $\mathcal{O}_\Delta$ is denoted $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$, where $n$ is the cardinality of any such curve. We represent elements of $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ by taking the $j$-invariant of any representative curve in the isomorphism class.

An isogeny between two curves having the same endomorphism ring is called a horizontal isogeny [15]. Likewise, we say that two isogenous curves are horizontally isogenous if their endomorphism rings are equal. Any separable horizontal isogeny $\phi: E \to E'$ between curves in $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ can be specified, up to isomorphism, by giving $E$ and $\ker\phi$ [35, III.4.12]. The kernel of an isogeny, in turn, can be represented as an ideal in $\mathcal{O}_\Delta$ [39, Thm. 4.5]. Denote by $\phi_\mathfrak{b}: E \to E_\mathfrak{b}$ the isogeny corresponding to an ideal $\mathfrak{b}$ (keeping in mind that $\phi_\mathfrak{b}$ is only defined up to isomorphism of $E_\mathfrak{b}$). Principal ideals correspond to isomorphisms, so any other ideal equivalent to $\mathfrak{b}$ in the ideal class group $\mathrm{Cl}(\mathcal{O}_\Delta)$ of $\mathcal{O}_\Delta$ induces the same isogeny, up to isomorphism [39, Thm. 3.11]. Hence one obtains a well-defined group action

$*: \mathrm{Cl}(\mathcal{O}_\Delta) \times \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta) \to \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$

where $[\mathfrak{b}]$ denotes the ideal class of $\mathfrak{b}$. This group action, which we call the isogeny star operator, is free and transitive [39, Thm. 4.5], and thus $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ forms a principal homogeneous space over



Isogeny graphs under GRH 

Our runtime analysis in Section 4 relies on the following result of [22] which states, roughly, that random short products of small primes in $\mathrm{Cl}(\mathcal{O}_\Delta)$ yield nearly uniformly random elements of $\mathrm{Cl}(\mathcal{O}_\Delta)$, under GRH.

Theorem 2.1. Let $\mathcal{O}_\Delta$ be an imaginary quadratic order of discriminant $\Delta < 0$ and conductor $c$. Set $G = \mathrm{Cl}(\mathcal{O}_\Delta)$. Let $B$ and $x$ be real numbers satisfying $B > 2$ and $x > (\ln|\Delta|)^B$. Let $S_x$ be the multiset $A \cup$ where

$A = \{[\mathfrak{p}] \in G : \gcd(c, \mathfrak{p}) = 1 \text{ and } N(\mathfrak{p}) < x \text{ is prime}\}$

with $N(\mathfrak{p})$ denoting the norm of $\mathfrak{p}$. Then, assuming GRH, there exists a positive absolute constant $C > 1$, depending only on $B$, such that for all $\Delta$, a random walk of length

$\dfrac{\;}{\ln\ln|\Delta|}$

in the Cayley graph $\mathrm{Cay}(G, S_x)$ from any starting vertex lands in any fixed subset $S \subseteq G$ with probability at least $\frac{|S|}{2|G|}$.

Proof. Apply Corollary 1.3 of [22] with the parameters

- $K$ = the field of fractions of $\mathcal{O}_\Delta$
- $G = \mathrm{Cl}(\mathcal{O}_\Delta)$
- $q = |\Delta|$.

Following [11], we refer to $G = \mathrm{Cl}(\mathcal{O}_\Delta)$ as the ring class group of $\Delta$. Observe that by Remark 1.2(a) of [22], Corollary 1.3 of [22] applies to the ring class group $G$, since ring class groups are quotients of narrow ray class groups [11, p. 160]. By Corollary 1.3 of [22], Theorem 2.1 holds for all sufficiently large values of $|\Delta|$, i.e., for all but finitely many $|\Delta|$. To prove the theorem for all $|\Delta|$, simply take a larger (but still finite) value of $C$.

Corollary 2.2. Theorem 2.1 still holds with the set $A$ redefined as

$A = \{[\mathfrak{p}] \in G : \gcd(m\Delta, \mathfrak{p}) = 1 \text{ and } N(\mathfrak{p}) < x \text{ is prime}\}$

where $m$ is any integer having at most $O(x^{1/2-\epsilon}\log|\Delta|)$ prime divisors.

Proof. The alternative definition of the set $A$ differs from the original definition by no more than $O(x^{1/2-\epsilon}\log|\Delta|)$ primes. As stated in [22, p. 1497], the contribution of these primes can be absorbed into the error term $O(x^{1/2}\log(x)\log(xq))$, and hence does not affect the conclusion of the theorem.
3 The group action inverse problem

For a fixed discriminant $\Delta$, the vectorization [10, §2] or group action inverse [36, §2.4] problem is the problem of finding an ideal class $[\mathfrak{b}] \in \mathrm{Cl}(\mathcal{O}_\Delta)$ such that $[\mathfrak{b}] * j(E) = j(E')$, given $j(E)$ and $j(E')$. We refer to $[\mathfrak{b}]$ as the quotient of $j(E)$ and $j(E')$. The computational infeasibility of finding quotients in $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ is a necessary condition for the security of isogeny-based cryptosystems [10, §3] [36, §7]. In the remainder of this paper, we present our subexponential algorithm for evaluating quotients in $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ on a quantum computer.

A notable property of isogeny-based cryptosystems is that they do not require the ability to 
evaluate the isogeny star operator efficiently on arbitrary inputs. It is enough to sample from random 
smooth ideals (for which * can be evaluated efficiently) when performing operations such as key 
generation [10, §5.4] [36, §6.2]. However, to attack these cryptosystems using our approach, we do 
require the ability to evaluate the isogeny star operator on arbitrary inputs. We turn to this problem 
in the next section. 

4 Computing the isogeny star operator

In this section, we describe a new classical (i.e., non-quantum) algorithm to evaluate the isogeny star operator. All notation is as in Section 2. Given an ideal class $[\mathfrak{b}]$ in $\mathrm{Cl}(\mathcal{O}_\Delta)$, and a $j$-invariant $j(E)$ of an ordinary elliptic curve of endomorphism ring $\mathcal{O}_\Delta$ over $\mathbb{F}_q$, we wish to evaluate $[\mathfrak{b}] * j(E)$. We define

$L_N(\tfrac{1}{2}, c) := \exp[(c + o(1))\sqrt{\ln N \ln\ln N}].$

For convenience, we denote $L_{\max\{|\Delta|, q\}}(\frac{1}{2}, c)$ by $L(c)$.

In Section 4.1 we show that, under GRH, our algorithm has a running time of $L_q(\frac{1}{2}, \frac{\sqrt{3}}{2})$, which is subexponential in the input size. For clarity, we present our algorithms and analysis in full instead of as "patches" to existing work. We emphasize that the basic structure of these algorithms appeared in prior work; our main contribution is to the analysis, which is facilitated by small changes to the algorithms. Specifically, Algorithm 1 is based on [23, Algorithm 3], which is in turn based on Seysen's algorithm [33]; Algorithm 2 is based on [7, Algorithm 4.1]. Our bounds on $t$ in Algorithm 1 are new, and allow us to prove the crucial runtime bound (Proposition 4.3).

Computing a relation. Given an ideal class $[\mathfrak{b}] \in \mathrm{Cl}(\mathcal{O}_\Delta)$, Algorithm 1 produces a relation vector $z = (z_1, \ldots, z_f) \in \mathbb{Z}^f$ for $[\mathfrak{b}]$, with respect to a factor base $\mathcal{F} = \{\mathfrak{p}_1, \ldots, \mathfrak{p}_f\}$, satisfying $[\mathfrak{b}] = [\mathcal{F}^z] := [\mathfrak{p}_1^{z_1} \cdots \mathfrak{p}_f^{z_f}]$, with the additional property (cf. Proposition 4.5) that the $L^1$-norm $|z|_1$ of $z$ is less than $O(\ln|\Delta|)$ for some absolute implied constant (here the norm of a vector denotes the sum of the absolute values of its coordinates). Algorithm 1 is similar to Algorithm 11.2 in [8], except that we impose a constraint on $|v|_1$ in Step 5 in order to keep $|z|_1$ small, and (for performance reasons) we use Bernstein's algorithm instead of trial division to find smooth elements. We remark that Corollary 9.3.12 of [8] together with the restriction $C > 1$ in Theorem 2.1 implies that there exists a value of $t$ satisfying the inequality in Algorithm 1.

Computing $j(E')$. Algorithm 2 is the main algorithm for evaluating the isogeny star operator. It takes as input a discriminant $\Delta < 0$, an ideal class $[\mathfrak{b}] \in \mathrm{Cl}(\mathcal{O}_\Delta)$, and a $j$-invariant $j(E) \in \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$, and produces the element $j(E') \in \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ such that $[\mathfrak{b}] * j(E) = j(E')$. Eliminating the primes dividing $qn$ is necessary for the computation of the isogenies in the final step of the algorithm.

Algorithm 1 Computing a relation

Input: $\Delta$, $q$, $n$, $z$, $[\mathfrak{b}]$, and an integer $t$ satisfying $\ \le t \le C\ln|\Delta|$ where $C$ is the constant of Theorem 2.1/Corollary 2.2
Output: A relation vector $z$ such that $[\mathfrak{b}] = [\mathcal{F}^z]$, or nil
1: Compute a factor base consisting of split primes; discard any primes dividing $qn$ to obtain a new factor base $\mathcal{F} = \{\mathfrak{p}_1, \mathfrak{p}_2, \ldots, \mathfrak{p}_f\}$
2: Set $S \leftarrow \emptyset$, $\mathcal{P} \leftarrow \{N(\mathfrak{p}) : \mathfrak{p} \in \mathcal{F}\}$
3: Set $\ell \leftarrow L(\frac{1}{4z})$
4: for $i = 1$ to $\ell$ do
5: Select $v \in \mathbb{Z}^f$ uniformly at random subject to the condition that $|v|_1 = t$
6: Calculate the reduced ideal $\mathfrak{a}_v$ in the ideal class $[\mathfrak{b}] \cdot [\mathcal{F}^v]$
7: Set $S \leftarrow S \cup \{N(\mathfrak{a}_v)\}$
8: end for
9: Using Bernstein's algorithm [3], find a $\mathcal{P}$-smooth element $N(\mathfrak{a}_v) \in S$ (if one exists), or else return nil
10: Find the prime factorization of the integer $N(\mathfrak{a}_v)$
11: Using Theorem 3.1 of Seysen [33] on the prime factorization of $N(\mathfrak{a}_v)$, factor the ideal $\mathfrak{a}_v$ over $\mathcal{F}$ to obtain $\mathfrak{a}_v = \mathcal{F}^a$ for some $a \in \mathbb{Z}^f$
12: Return $z = a - v$

Algorithm 2 Computing $j(E')$

Input: $\Delta$, $q$, $[\mathfrak{b}]$, and a $j$-invariant $j(E) \in \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$
Output: The element $j(E') \in \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ such that $[\mathfrak{b}] * j(E) = j(E')$
1: Using Algorithm 1 with any valid choice of $t$, compute a relation $z \in \mathbb{Z}^f$ such that $[\mathfrak{b}] = [\mathcal{F}^z] = [\mathfrak{p}_1^{z_1} \cdots \mathfrak{p}_f^{z_f}]$
2: Compute a sequence of isogenies $(\phi_1, \ldots, \phi_s)$ such that the composition $\phi_c: E \to E_c$ of the sequence has kernel $E[\mathfrak{p}_1^{z_1}\mathfrak{p}_2^{z_2} \cdots \mathfrak{p}_f^{z_f}]$, using the method of [7, §3]
3: Return $j(E_c)$

Algorithm 2 is correct since the ideals $\mathfrak{b}$ and $\mathcal{F}^z$ belong to the same ideal class, and thus act identically on $\mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$.
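A toy model of Algorithm 1, added here as an illustration and not taken from the paper: $\mathrm{Cl}(\mathcal{O}_\Delta)$ is represented by reduced binary quadratic forms with Gauss composition as the group law, the factor base is the set of split primes below a bound, and a relation $[\mathfrak{b}] = [\mathcal{F}^z]$ is found by the random walk of Steps 4-12 with the $|v|_1 = t$ constraint and the Seysen factoring step. Assumptions: the discriminant, the bound and the target class are constructed; trial division stands in for Bernstein's batch smoothness test, and the filter on primes dividing $qn$ has no analogue because no curve is involved.

```python
import random
def egcd(x, y):
    if y == 0:
        return (abs(x), 1 if x >= 0 else -1, 0)
    g, u, v = egcd(y, x % y)
    return (g, v, u - (x // y) * v)            # u*x + v*y = g = gcd(x, y)

def reduce_form(f, D):
    # unique reduced form in the class of (a, b, c); D = b^2 - 4ac < 0
    a, b, c = f
    while True:
        if not (-a < b <= a):                  # normalise b into (-a, a]
            b = b % (2 * a)
            if b > a:
                b -= 2 * a
            c = (b * b - D) // (4 * a)
        if a > c or (a == c and b < 0):
            a, b, c = c, -b, a
            continue
        return (a, b, c)

def compose(f1, f2, D):
    # Gauss composition (Cohen, Algorithm 5.4.7): the group law of Cl(O_D) on reduced forms
    a1, b1, c1 = f1
    a2, b2, c2 = f2
    if a1 > a2:
        a1, b1, c1, a2, b2, c2 = a2, b2, c2, a1, b1, c1
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        d, y1, _ = egcd(a2, a1)
    if s % d == 0:
        x2, y2, d1 = 0, -1, d
    else:
        d1, x2, v = egcd(s, d)
        y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    a3, b3 = v1 * v2, b2 + 2 * v2 * r
    c3 = (c2 * d1 + r * (b2 + v2 * r)) // v1
    return reduce_form((a3, b3, c3), D)

def prime_form(p, D):
    # prime form (p, b, c) with b^2 = D (mod 4p) for a split prime p; None if p is ramified or inert
    if D % p == 0:
        return None
    for b in range(D % 2, 2 * p, 2):           # b has the parity of D
        if (b * b - D) % (4 * p) == 0:
            return (p, b, (b * b - D) // (4 * p))
    return None

def factor_base(D, x):
    # Step 1: split primes p < x (the real algorithm also drops primes dividing qn; no curve here)
    primes = [p for p in range(2, x) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
    return [fp for fp in (prime_form(p, D) for p in primes) if fp is not None]

def factor_over_base(f, base):
    # Steps 10-11 (Seysen): exponents a with f = F^a, or None if N(f) = a is not smooth.
    # For p^e || a the p-part is (p, b_p, .)^e when b = b_p (mod 2p), else its inverse.
    a, b, _ = f
    exps = []
    for p, bp, _ in base:
        e = 0
        while a % p == 0:
            a, e = a // p, e + 1
        exps.append(e if (b - bp) % (2 * p) == 0 else -e)
    return exps if a == 1 else None

def evaluate(D, base, z):
    # reduced form of the class F^z = p_1^{z_1} ... p_f^{z_f}; the inverse of (a, b, c) is (a, -b, c)
    out = (1, D % 2, (D % 2 - D) // 4)         # the principal form
    for (a, b, c), e in zip(base, z):
        g = (a, b, c) if e >= 0 else (a, -b, c)
        for _ in range(abs(e)):
            out = compose(out, g, D)
    return out

def find_relation(D, target, base, t, tries, rng):
    # Steps 4-12, with trial division in place of Bernstein's batch smoothness test
    f = len(base)
    for _ in range(tries):
        v = [0] * f
        for _ in range(t):                     # Step 5: random v with |v|_1 = t
            v[rng.randrange(f)] += rng.choice((1, -1))
        if sum(map(abs, v)) != t:              # cancellation made |v|_1 < t: resample
            continue
        a = factor_over_base(compose(target, evaluate(D, base, v), D), base)  # Steps 6, 9-11
        if a is not None:                      # a_v = F^a, so [target] = [F^(a - v)] (Step 12)
            return [ai - vi for ai, vi in zip(a, v)]
    return None

def demo(seed=1):
    D = -100003                                # constructed: a prime fundamental discriminant
    base = factor_base(D, 60)
    rng = random.Random(seed)
    target = evaluate(D, base, [rng.randrange(-5, 6) for _ in base])  # constructed class [b]
    z = find_relation(D, target, base, t=10, tries=2000, rng=rng)
    return target, z, (None if z is None else evaluate(D, base, z))
```

The returned $z$ satisfies $|z|_1 \le t + \log_2\sqrt{|\Delta|/3}$, the bound of Proposition 4.5 in this toy setting, because the reduced ideal $\mathfrak{a}_v$ has norm below $\sqrt{|\Delta|/3}$.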

4.1 Runtime analysis 

Here we determine the theoretical running time of Algorithm 2, as well as the optimal value of 
the parameter z in Algorithm 1. As is typical for subexponential-time factorization algorithms 
involving a factor base, these two quantities depend on each other, and hence both are calculated 
simultaneously. 

Proposition 4.1. The running time of Algorithm 1 is at most $L(z) + L(\frac{1}{4z})$, assuming GRH.

Proof. Step 1 of Algorithm 1 takes time $L(z)$ [8, Lemmas 11.3.1 and 11.3.2]. Step 2 of the algorithm requires $L(z)$ norm computations. Step 3 is negligible. Step 6 requires $C\ln|\Delta|$ multiplications in the class group, each of which requires $O((\ln|\Delta|)^{1+\epsilon})$ bit operations [30]. Hence the for loop in Steps 4-8 has running time $L(\frac{1}{4z}) \cdot O((\ln|\Delta|)^{2+\epsilon})$. Bernstein's algorithm [3] in Step 9 has a running time of $b(\log_2 b)^{2+\epsilon}$ where $b = L(z) + L(\frac{1}{4z})$ is the combined size of $S$ and $\mathcal{P}$. Finding the prime factorization in Step 10 costs $L(z)$ using trial division, and Seysen's algorithm [33, Thm. 3.1] in Step 11 has negligible cost under ERH (and hence GRH). Accordingly, we find that the running time is

$L(z) + O((\ln|\Delta|)^{2+\epsilon}) \cdot L(\tfrac{1}{4z}) + b(\log_2 b)^{2+\epsilon} + L(z) = L(z) + L(\tfrac{1}{4z}),$

as desired.

Remark 4.2. If we use quantum algorithms, then the performance boost obtained from Bernstein's algorithm is not necessary, since quantum computers can factor integers in polynomial time [34]. This allows for some simplification in Algorithm 1 in the quantum setting: there is no need to store elements of $S$ (since one can test directly for smooth integers via factoring), and the algorithm no longer requires superpolynomial space.

Proposition 4.3. Under GRH, the probability that a single iteration of the for loop of Algorithm 1 produces an $\mathcal{F}$-smooth ideal $\mathfrak{a}_v$ is at least $L(-\frac{1}{4z})$.

Proof. We adopt the notation used in Theorem 2.1 and Corollary 2.2. Apply Corollary 2.2 with the values $m = qn$, $B = 3$, and $x = L(z) \gg (\ln|\Delta|)^3$. Observe that $m$ has at most $O(\log q)$ prime divisors, and

$O(\log q) \ll L_q(\tfrac{z}{2}(1-\epsilon)) \le L(\tfrac{z}{2}(1-\epsilon)) = x^{1/2-\epsilon}.$

Therefore Corollary 2.2 applies. The ideal class $[\mathfrak{b}] \cdot [\mathcal{F}^v]$ is equal to the ideal class obtained by taking the walk of length $t$ in the Cayley graph $\mathrm{Cay}(G, S_x)$, having initial vertex $[\mathfrak{b}]$, and whose edges correspond to the nonzero coordinates of the vector $v$. Hence a random choice of vector $v$ under the constraints of Algorithm 1 yields the same probability distribution as a random walk in $\mathrm{Cay}(G, S_x)$ starting from $[\mathfrak{b}]$.

Let $S$ be the set of reduced ideals in $G$ with $L(z)$-smooth norm. By [8, Lemma 11.4.4], $|S| \ge \sqrt{|\Delta|}\,L_{|\Delta|}(\frac{1}{2}, -\frac{1}{4z}) \ge \sqrt{|\Delta|}\,L(-\frac{1}{4z})$. Hence, by Corollary 2.2, the probability that $\mathfrak{a}_v$ lies in $S$ is at least

$\frac{1}{2}\frac{|S|}{|G|} \ge \frac{1}{2}\frac{\sqrt{|\Delta|}\,L(-\frac{1}{4z})}{|G|}.$

Finally, Theorem 9.3.11 of [8] states that $\frac{\sqrt{|\Delta|}}{|G|} \ge \frac{1}{\ln|\Delta|}$. Hence the probability that $\mathfrak{a}_v$ is $\mathcal{F}$-smooth is at least

$\frac{1}{2\ln|\Delta|}\,L(-\tfrac{1}{4z}) = L(-\tfrac{1}{4z}),$

as desired.

Corollary 4.4. Under GRH, Algorithm 1 succeeds with probability at least $1 - \frac{1}{e}$.

Proof. Algorithm 1 loops through $\ell = L(\frac{1}{4z})$ vectors $v$, and by Proposition 4.3, each such choice of $v$ has an independent $1/\ell$ chance of producing a smooth ideal $\mathfrak{a}_v$. Therefore the probability of success is at least $1 - (1 - \frac{1}{\ell})^{\ell} \ge 1 - \frac{1}{e}$, as claimed.

The following proposition shows that the relation vector z produced by Algorithm 1 is guaranteed 
to have small coefficients. 
Proposition 4.5. Any vector $z$ output by Algorithm 1 satisfies $|z|_1 \le (C + 1)\ln|\Delta|$.

Proof. Since $z = a - v$, we have $|z|_1 \le |a|_1 + |v|_1$. But $|v|_1 \le C\ln|\Delta|$ by construction, and the norm of $\mathfrak{a}_v$ is less than $\sqrt{|\Delta|/3}$ [8, Prop. 9.1.7], so

$|a|_1 \le \log_2 N(\mathfrak{a}_v) \le \log_2 \sqrt{|\Delta|/3} \le \ln|\Delta|.$

This completes the proof.

Finally, we analyze the running time of Algorithm 2. 

Theorem 4.6. Under GRH, Algorithm 2 succeeds with probability at least $1 - \frac{1}{e}$ and runs in time at most

$L(\tfrac{1}{4z}) + \max\{L(3z),\ L(z)(\ln q)^{3+\epsilon}\}.$

Proof. We have shown that Algorithm 1 has running time $L(z) + L(\frac{1}{4z})$ and success probability at least $1 - \frac{1}{e}$. Assuming that it succeeds, the computation of the individual isogenies $\phi_i$ in Step 2 of Algorithm 2 proceeds in one of two ways, depending on whether the characteristic of $\mathbb{F}_q$ is large [7, §3.1] [17, §3] or small [7, §3.2]. The large characteristic algorithm fails when the characteristic is small, whereas the small characteristic algorithm succeeds in all situations, but is slightly slower in large characteristic. For simplicity, we consider only the latter, and more general, algorithm.

The general algorithm proceeds in two steps. In the first step, we compute the kernel polynomial of the isogeny. The time to perform one such calculation is $O((\ell(\ln q)\max(\ell, \ln q)^2)^{1+\epsilon})$ in all cases ([26, Thm. 1] for characteristic $> 5$ and [14, Thm. 1] for characteristic 2 or 3). In the second step, we compute the equation of the isogenous curve using Vélu's formulae [38]. This second step has a running time of $O(\ell^{2+\epsilon}(\ln q)^{1+\epsilon})$ [21, p. 214]. Hence the running time of Step 2 is at most

$|z|_1\left(O((\ell(\ln q)\max(\ell, \ln q)^2)^{1+\epsilon}) + O(\ell^{2+\epsilon}(\ln q)^{1+\epsilon})\right).$

By Proposition 4.5, this expression is at most

$(C + 1)(\ln|\Delta|)\left(\max\{L(3z),\ L(z)(\ln q)^{3+\epsilon}\} + L(2z)(\ln q)^{1+\epsilon}\right) = \max\{L(3z),\ L(z)(\ln q)^{3+\epsilon}\}.$

The theorem follows.

Corollary 4.7. Under GRH, Algorithm 2 has a worst-case running time of at most $L_q(\frac{1}{2}, \frac{\sqrt{3}}{2})$.

Proof. Using the inequality $|\Delta| < 4q$, we may rewrite Theorem 4.6 in terms of $q$. We obtain the following upper bound for the running time:

$L(\tfrac{1}{4z}) + \max\{L(3z),\ L(z)(\ln q)^{3+\epsilon}\} \le L_q(\tfrac{1}{2}, \max\{\tfrac{1}{4z}, 3z\}).$

The optimal choice of $z = \frac{1}{2\sqrt{3}}$ yields the running time bound of $L_q(\frac{1}{2}, \frac{\sqrt{3}}{2})$.

Remark 4.8. Using our technique for eliminating heuristics, Bisson [4] has recently developed a subexponential-time algorithm for determining endomorphism rings of elliptic curves, assuming only GRH. As part of that work, Bisson presents a faster algorithm [4, Prop. 4.4] for determining the curves appearing in the sequence of isogenies in Step 2 of Algorithm 2, with running time quadratic in the isogeny degrees, improving upon the cubic time required in prior algorithms. Using this algorithm, the running time of Algorithm 2 improves to $L_q(\frac{1}{2}, \frac{1}{\sqrt{2}})$.


Constructing elliptic curve isogenies in quantum subexponential time

Remark 4.9. Our algorithm for computing the isogeny star operator readily extends to an algorithm for evaluating isogenies in subexponential time. As in [7,23], we specify an isogeny $\phi: E \to E'$ by providing the ideal $\mathfrak{b} \subseteq \mathrm{End}(E) = \mathcal{O}_\Delta$ corresponding to the kernel of $\phi$. To distinguish between isogenies that are identical up to isomorphism, we define a normalized isogeny [6, 7] to be one where $\phi^*\omega_{E'} = \omega_E$. Algorithm 2 applied to the input $\mathfrak{b}$ yields an (unnormalized) isogeny $\phi_c: E \to E_c$ isomorphic to the desired isogeny $\phi$. To find the normalized isogeny, we must evaluate the necessary isomorphism explicitly. This can be easily done by using [23, Algorithm 3, Steps 20-23] in conjunction with [7, Algorithm 4.1, Steps 4-6] on the relation produced by Algorithm 1. These additional steps are not rate-limiting, so the running time of the algorithm is unchanged. Bisson's improvement (Remark 4.8) does not apply here, since we need to evaluate the actual isogeny, rather than just find the isogenous curve.

5 A quantum algorithm for constructing isogenies 

Our quantum algorithm for constructing isogenies uses a simple reduction to the abelian hidden shift problem. To define this problem, let $A$ be a known finite abelian group (with the group operation written multiplicatively) and let $f_0, f_1: A \to S$ be black-box functions, where $S$ is a known finite set. We say that $f_0, f_1$ hide a shift $s \in A$ if $f_0$ is injective and $f_1(x) = f_0(xs)$ (i.e., $f_1$ is a shifted version of $f_0$). The goal of the hidden shift problem is to determine $s$ using queries to such black-box functions. Note that this problem is equivalent to the hidden subgroup problem in the $A$-dihedral group, the nonabelian group $A \rtimes \mathbb{Z}_2$ where $\mathbb{Z}_2$ acts on $A$ by inversion.

Isogeny construction is easily reduced to the hidden shift problem using the group action defined in Section 2. Given horizontally isogenous curves $E_0, E_1$ with endomorphism ring $\mathcal{O}_\Delta$, we define functions $f_0, f_1: \mathrm{Cl}(\mathcal{O}_\Delta) \to \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ that hide $[\mathfrak{s}] \in \mathrm{Cl}(\mathcal{O}_\Delta)$, where $[\mathfrak{s}]$ is the ideal class such that $[\mathfrak{s}] * j(E_0) = j(E_1)$. Specifically, let $f_c([\mathfrak{b}]) = [\mathfrak{b}] * j(E_c)$. Then it is immediate that $f_0, f_1$ hide $[\mathfrak{s}]$:

Lemma 5.1. The function $f_0$ is injective and $f_1([\mathfrak{b}]) = f_0([\mathfrak{b}][\mathfrak{s}])$.

Proof. Since $*$ is a group action,

$f_1([\mathfrak{b}]) = [\mathfrak{b}] * j(E_1)$
$\quad = [\mathfrak{b}] * ([\mathfrak{s}] * j(E_0))$
$\quad = ([\mathfrak{b}][\mathfrak{s}]) * j(E_0)$
$\quad = f_0([\mathfrak{b}][\mathfrak{s}]).$

If there are distinct ideal classes $[\mathfrak{b}], [\mathfrak{b}']$ such that $f_0([\mathfrak{b}]) = f_0([\mathfrak{b}'])$, then $[\mathfrak{b}] * j(E_0) = [\mathfrak{b}'] * j(E_0)$, which contradicts the fact that the action is free and transitive [39, Thm. 4.5]. Thus $f_0$ is injective.

Note that a similar connection between isogenies and hidden shift problems was described in [36, Section 7.2]. However, that paper did not recognize the significance of the reduction, and in particular did not appreciate the role played by injectivity. Without the assumption that $f_0$ is injective, the hidden shift problem can be as hard as the search problem, and hence requires exponentially many queries [2] (although for non-injective functions $f_0$ with appropriate structure, such as the Legendre symbol, the non-injective hidden shift problem can be solved by a quantum computer in polynomial time [12]). On the other hand, injectivity implies that the problem has polynomial quantum query complexity [13], allowing for the possibility of faster quantum algorithms.
This reduction allows us to apply quantum algorithms for the hidden shift problem to construct isogenies. The (injective) hidden shift problem can be solved in quantum subexponential time assuming we can evaluate the group action in subexponential time. The latter is possible due to Algorithm 2.

We consider two different approaches to solving the hidden shift problem in subexponential time on a quantum computer. The first, due to Kuperberg [25], has a faster running time but requires superpolynomial space. The second approach generalizes an algorithm of Regev [28]. It uses only polynomial space, but is slower than Kuperberg's original algorithm.

Method 1: Kuperberg's algorithm. Kuperberg's approach to the abelian hidden shift problem is based on the idea of performing a Clebsch-Gordan sieve on coset states. The following appears as Theorem 7.1 of [25].

Theorem 5.1. The abelian hidden shift problem has a [quantum] algorithm with time and query complexity $2^{O(\sqrt{n})}$, where $n$ is the length of the output, uniformly for all finitely generated abelian groups.

In our context, $2^{O(\sqrt{n})} = 2^{O(\sqrt{\ln|\Delta|})}$ since $|\mathrm{Cl}(\mathcal{O}_\Delta)| = O(\sqrt{|\Delta|}\ln|\Delta|)$ [8, Theorem 9.3.11]. Furthermore, $2^{O(\sqrt{\ln|\Delta|})} = L(o(1)) = L(0)$ regardless of the value of the implied constant in the exponent, since the exponent on the left has no $\sqrt{\ln\ln|\Delta|}$ term, whereas $L(0)$ does. As mentioned above, Kuperberg's algorithm also requires superpolynomial space (specifically, it uses $2^{O(\sqrt{n})}$ qubits).

Method 2: Regev's algorithm. Regev [28] showed that a variant of Kuperberg's sieve leads to a slightly slower algorithm using only polynomial space. In particular, he proved Theorem 5.2 below in the case where $A$ is a cyclic group whose order is a power of 2 (without giving an explicit value for the constant in the exponent). Theorem 5.2 generalizes Regev's algorithm to arbitrary finite abelian groups. A detailed proof of Theorem 5.2 appears in the Appendix (see Theorem A.1).

Theorem 5.2. Let $A$ be a finite abelian group and let functions $f_0, f_1$ hide some unknown $s \in A$. Then there is a quantum algorithm that finds $s$ with time and query complexity $L_{|A|}(\frac{1}{2}, \sqrt{2})$ using space $\mathrm{poly}(\log|A|)$.

We now return to the original problem of constructing isogenies. Note that to use the hidden shift approach, the group structure of $\mathrm{Cl}(\mathcal{O}_\Delta)$ must be known. Given $\Delta$, it is straightforward to compute $\mathrm{Cl}(\mathcal{O}_\Delta)$ using existing quantum algorithms (see the proof of Theorem 5.4). Thus, we assume for simplicity that the discriminant $\Delta$ is given as part of the input. This requirement poses no difficulty, since all existing proposals for isogeny-based public-key cryptosystems [10, 29, 36] stipulate that $\mathcal{O}_\Delta$ is a maximal order, in which case its discriminant can be computed easily: simply calculate the trace $t(E)$ of the curve using Schoof's algorithm [31], and factor $t(E)^2 - 4q$ to obtain the fundamental discriminant $\Delta$ (note of course that factoring is easy on a quantum computer [34]).

Remark 5.3. One can conceivably imagine a situation where one is asked to construct an isogeny between two given isogenous curves of unknown but identical endomorphism ring. Although we are not aware of any cryptographic applications of this scenario, it presents no essential difficulty. Bisson [4] has shown using Corollary 2.2 that the discriminant $\Delta$ of an elliptic curve can be computed in $L_q(\frac{1}{2}, \frac{1}{\sqrt{2}})$ time under only GRH (assuming that factoring is easy).
Algorithm 3 Isogeny construction

Input: A finite field $\mathbb{F}_q$, a discriminant $\Delta < 0$, and Weierstrass equations of horizontally isogenous elliptic curves $E_0, E_1$
Output: $[\mathfrak{s}] \in \mathrm{Cl}(\mathcal{O}_\Delta)$ such that $[\mathfrak{s}] * j(E_0) = j(E_1)$
1: Decompose $\mathrm{Cl}(\mathcal{O}_\Delta) = \langle[\mathfrak{b}_1]\rangle \oplus \cdots \oplus \langle[\mathfrak{b}_k]\rangle$ where $|\langle[\mathfrak{b}_j]\rangle| = n_j$
2: Solve the hidden shift problem defined by functions $f_0, f_1: \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k} \to \mathrm{Ell}_{q,n}(\mathcal{O}_\Delta)$ satisfying $f_c(x_1, \ldots, x_k) = ([\mathfrak{b}_1]^{x_1} \cdots [\mathfrak{b}_k]^{x_k}) * j(E_c)$, giving some $(s_1, \ldots, s_k) \in \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$
3: Output $[\mathfrak{s}] = [\mathfrak{b}_1]^{s_1} \cdots [\mathfrak{b}_k]^{s_k}$

Assuming $\Delta$ is known, we decompose $\mathrm{Cl}(\mathcal{O}_\Delta)$ as a direct sum of cyclic groups, with a known generator for each, and then solve the hidden shift problem. The overall procedure is described in Algorithm 3.

Theorem 5.4. Assuming GRH, Algorithm 3 runs in time $L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$ (respectively, $L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2} + \sqrt{2})$) using Theorem 5.1 (respectively, Theorem 5.2) to solve the hidden shift problem.

Proof. We perform Step 1 using [9, Algorithm 10], which determines the structure of an abelian group given a generating set and a unique representation for the group elements. We represent the elements uniquely using reduced quadratic forms, and we use the fact that, under ERH (and hence GRH), the set of ideal classes of norm at most $6 \ln^2 |\Delta|$ forms a generating set [1, p. 376]. By Theorem 5.1 (resp. Theorem 5.2), Step 2 uses $L(o(1)) = L(0)$ (resp. $L(\sqrt{2})$) evaluations of the functions $f_i$. By Corollary 4.7, these functions can be evaluated in time $L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$ using Algorithm 2, assuming GRH. Overall, Step 2 takes time $L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2} + o(1)) = L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$ if Theorem 5.1 is used, or $L_q(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2} + \sqrt{2})$ if Theorem 5.2 is used. The cost of Step 3 is negligible.

Remark 5.5. Using the improved algorithm for evaluating the isogeny star operator described in Remark 4.8, the running time of Algorithm 3 is improved to $L_q(\tfrac{1}{2}, \tfrac{1}{\sqrt{2}} + o(1)) = L_q(\tfrac{1}{2}, \tfrac{1}{\sqrt{2}})$ using Theorem 5.1 to solve the hidden shift problem (requiring superpolynomial space), and to $L_q(\tfrac{1}{2}, \tfrac{1}{\sqrt{2}} + \sqrt{2}) = L_q(\tfrac{1}{2}, \tfrac{3}{\sqrt{2}})$ using Theorem 5.2 (requiring only polynomial space).

Remark 5.6. The running time of the algorithm is ultimately limited by two factors: the best known 
quantum algorithm for the hidden shift problem runs in superpolynomial time, and the same holds 
for the best known (classical or quantum) algorithm for computing the isogeny star operator. 
Improving only one of these results to take polynomial time would still result in a superpolynomial- 
time algorithm. 
A Subexponential-time and polynomial-space quantum algorithm for the general abelian hidden shift problem

Following Kuperberg's discovery of a subexponential-time quantum algorithm for the hidden shift problem in any finite abelian group $A$ [25], Regev presented a modification of Kuperberg's algorithm that requires only polynomial space, with a slight increase in the running time [28]. However, Regev only explicitly considered the case $A = \mathbb{Z}_{2^n}$, and while he showed that the running time is $L_{|A|}(\tfrac{1}{2}, c)$, he did not determine the value of the constant $c$.

In this appendix we describe a polynomial-space quantum algorithm for the general abelian hidden shift problem using time $L_{|A|}(\tfrac{1}{2}, \sqrt{2})$. We use several of the same techniques employed by Kuperberg [25, Algorithm 5.1 and Theorem 7.1] to go beyond the case $A = \mathbb{Z}_{2^n}$, adapted to work with a Regev-style sieve that only uses polynomial space.

Let $A = \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ be a finite abelian group. Consider the hidden shift problem with hidden shift $s = (s_1, \ldots, s_t) \in A$. By Fourier sampling, one (coherent) evaluation of the hiding functions $f_0, f_1$ can produce the state
\[
|\psi_x\rangle := \frac{1}{\sqrt{2}}\left(|0\rangle + \exp\left(2\pi i \left(\frac{s_1 x_1}{N_1} + \cdots + \frac{s_t x_t}{N_t}\right)\right)|1\rangle\right) \tag{$\psi$}
\]
with a known value $x = (x_1, \ldots, x_t) \in_R A$ (see for example the proof of Theorem 7.1 in [25]), where $x \in_R A$ denotes that $x$ occurs uniformly at random from $A$. For simplicity, we begin by considering the case where $A = \mathbb{Z}_N$ is cyclic. Then Fourier sampling produces states
\[
|\psi_x\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + \omega^{sx}|1\rangle\right)
\]
where $x \in_R \mathbb{Z}_N$ is known and $\omega := e^{2\pi i/N}$.

If we could make states $|\psi_x\rangle$ with chosen values of $x$, then we could determine $s$. In particular, the following observation is attributed to Peter Høyer in [25]:

Lemma A.1. Given one copy each of the states $|\psi_1\rangle, |\psi_2\rangle, |\psi_4\rangle, \ldots, |\psi_{2^{k-1}}\rangle$ where $2^k = \Omega(N)$, one can reconstruct $s$ in polynomial time with probability $2^k/N$.

Proof. Consider the tensor product of the given states. Apply the inverse quantum Fourier transform over $\mathbb{Z}_N$ (which runs in $\mathrm{poly}(\log N)$ time [24]) and measure in the computational basis. The Fourier transform of $|s\rangle$, namely $\frac{1}{\sqrt{N}} \sum_{y=0}^{N-1} \omega^{sy} |y\rangle$, has overlap squared with this state of $2^k/N$, which implies the claim.

We aim to produce states of the form $|\psi_{2^j}\rangle$ using a sieve that combines states to prepare new ones with more desirable labels. A basic building block is Algorithm 4, which can be used to produce states with smaller labels.

Lemma A.2. Algorithm 4 runs in time $2^k \mathrm{poly}(\log N)$ and succeeds with probability $\Omega(1)$ provided $4k < B/B' < 2^k/k$.

Proof. The running time is dominated by the brute force calculation in Step 6 and the projection in Step 10, both of which can be performed in time $2^k \mathrm{poly}(\log N)$.

The probability of aborting in Step 2 for any one $x_i$ is $1 - 2B'\lfloor B/2B' \rfloor/B < 2B'/B < 1/2k$. By the union bound, the overall probability of aborting in this step is at most $k \cdot 2B'/B < 1/2$. Conditioned on not aborting in Step 2, $x_i \in_R \{0, 1, \ldots, 2B'\lfloor B/2B' \rfloor - 1\}$.

Let $x \cdot y^j = q(2B') + r^j$ where $0 \le r^j < 2B'$ ($q$ is the measurement outcome, which is independent of $j$). By the uniformity of the $x_i$'s, each $r^j = x \cdot y^j \bmod 2B'$ is uniformly distributed over $\{0, 1, \ldots, 2B' - 1\}$. Thus the output label is $x' = x \cdot (y^* - y^{**}) = |r^* - r^{**}|$ where $r^*, r^{**} \in_R \{0, 1, \ldots, 2B' - 1\}$. A simple calculation shows that the distribution of $|r^* - r^{**}|$ is
\[
\Pr\big[|r^* - r^{**}| = z\big] = \begin{cases} \dfrac{1}{2B'} & \text{for } z = 0 \\[4pt] \dfrac{2B' - z}{2B'^2} & \text{for } z \in \{1, \ldots, 2B' - 1\}. \end{cases}
\]
Thus the probability that we abort in Steps 12–16 is $1/2$, and conditioned on not aborting in these steps, $x' \in_R \{0, 1, \ldots, B' - 1\}$. Thus the algorithm is correct if it reaches Step 17.

It remains to show that the algorithm succeeds with constant probability. We have already bounded the probability that we abort in Step 2 and Steps 12–16. Since $y = 0^k$ occurs with probability $1/2^k$
Algorithm 4 Combining states to give smaller labels

Input: Parameters $B, B'$ and states $|\psi_{x_1}\rangle, \ldots, |\psi_{x_k}\rangle$ with known $x_1, \ldots, x_k \in_R \{0, 1, \ldots, B - 1\}$
Output: State $|\psi_{x'}\rangle$ with known $x' \in_R \{0, 1, \ldots, B' - 1\}$
1: if $\exists i\colon x_i \ge 2B'\lfloor B/2B' \rfloor$ then
2: Abort
3: end if
4: Introduce an ancilla register and compute
\[
\frac{1}{\sqrt{2^k}} \sum_{y \in \{0,1\}^k} \omega^{s(x \cdot y)} |y\rangle \big| \lfloor (x \cdot y)/2B' \rfloor \big\rangle
\]
where $x \cdot y := \sum_{i=1}^k x_i y_i$
5: Measure the ancilla register, giving an outcome $q$ and a state
\[
\frac{1}{\sqrt{v}} \sum_{j=1}^{v} \omega^{s(x \cdot y^j)} |y^j\rangle
\]
where $y^1, \ldots, y^v \ne 0^k$ are the $k$-bit strings such that $\lfloor (x \cdot y^j)/2B' \rfloor = q$
6: Compute $y^1, \ldots, y^v$ by brute force
7: if $v = 1$ then
8: Abort
9: end if
10: Project onto $\mathrm{span}\{|y^1\rangle, |y^2\rangle\}$ or $\mathrm{span}\{|y^3\rangle, |y^4\rangle\}$ or $\ldots$ or $\mathrm{span}\{|y^{2\lfloor v/2 \rfloor - 1}\rangle, |y^{2\lfloor v/2 \rfloor}\rangle\}$, giving an outcome $\mathrm{span}\{|y^*\rangle, |y^{**}\rangle\}$
11: Let $x' = x \cdot (y^* - y^{**})$ where $x \cdot y^* \ge x \cdot y^{**}$ WLOG
12: if $x' \in \{1, \ldots, B' - 1\}$ then
13: Abort with probability $1 - B'/(2B' - x')$
14: else if $x' \in \{B', \ldots, 2B' - 1\}$ then
15: Abort
16: end if
17: Relabel $|y^{**}\rangle \mapsto |0\rangle$ and $|y^*\rangle \mapsto |1\rangle$, giving a state $|\psi_{x'}\rangle$



and at most one state $|y^j\rangle$ can be unpaired (and this only happens when $v$ is odd), the projection in Step 10 fails with probability at most $1/3 + 2^{-k} < 1/3 + o(1)$. We claim that the probability of aborting in Step 8 (i.e., the probability that $v = 1$) is also bounded away from 1. Call a value of $q$ bad if $v = 1$. Since $0 \le x \cdot y \le k(B - 1)$, there are at most $kB/2B'$ possible values of $q$, and in particular, there can be at most $kB/2B'$ bad values of $q$. Since the probability of any particular bad $q$ is $1/2^k$, the probability that $q$ is bad is at most $kB/B'2^{k+1} < 1/2$. This completes the proof.
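The following is an added classical simulation of one run of Algorithm 4 (example code, not from the paper): it stores the $2^k$ phases $\omega^{s(x \cdot y)}$ of the product of the input states, carries out Steps 1–17 on the labels, and checks that the surviving two-dimensional state has relative phase $\omega^{sx'}$. The parameters $N = B = 10007$, $B' = 200$, $k = 9$ and the shift $s = 4321$ are constructed so that $4k < B/B' < 2^k/k$ holds; the shift is used only to build the input phases and to verify the output, and the procedure itself never reads it.

```python
"""Classical simulation of one run of Algorithm 4 (added example, not the
paper's code).  The tensor product of the k input states
|psi_{x_i}> = (|0> + w^{s x_i}|1>)/sqrt(2), w = exp(2 pi i/N), has amplitude
w^{s (x.y)}/sqrt(2^k) on |y>, y in {0,1}^k, so every step of the algorithm
can be simulated with classical label arithmetic plus a table of 2^k phases.
The shift s only enters through those phases; the procedure never reads it."""
import cmath
import random
from itertools import product

# Constructed parameters: 4k < B/B' < 2^k/k holds as 36 < 50.04 < 56.9.
N, B, BP, K, S = 10007, 10007, 200, 9, 4321


def phase(s, x, n):
    """w^{s x} with w = exp(2 pi i / n); s*x is reduced mod n first for accuracy."""
    return cmath.exp(2j * cmath.pi * ((s * x) % n) / n)


def dot(labels, y):
    """x . y = sum_i x_i y_i over the integers (not reduced modulo N)."""
    return sum(xi * yi for xi, yi in zip(labels, y))


def combine(labels, s, n, b, bp, rng):
    """One run of Algorithm 4 on labels x_1..x_k in {0, ..., B-1}.

    Returns None on abort, otherwise (x', ok) where ok records whether the
    surviving two-dimensional state equals |psi_{x'}> up to a global phase.
    """
    k = len(labels)
    # Steps 1-3: labels beyond 2B'*floor(B/2B') would spoil uniformity.
    if any(x >= 2 * bp * (b // (2 * bp)) for x in labels):
        return None
    # Step 4: amplitude of |y>|floor(x.y / 2B')> for every y in {0,1}^k.
    amp = {y: phase(s, dot(labels, y), n) / 2 ** (k / 2)
           for y in product((0, 1), repeat=k)}
    anc = {y: dot(labels, y) // (2 * bp) for y in amp}
    # Step 5: measure the ancilla; Pr[q] is the squared-amplitude mass on q.
    qs = sorted(set(anc.values()))
    weights = [sum(abs(amp[y]) ** 2 for y in amp if anc[y] == qq) for qq in qs]
    q = rng.choices(qs, weights)[0]
    survivors = [y for y in amp if anc[y] == q]
    # Step 6: the strings y^1, ..., y^v != 0^k consistent with the outcome q.
    ys = [y for y in survivors if any(y)]
    # Steps 7-9: with v = 1 there is no second string to interfere with.
    if len(ys) < 2:
        return None
    # Step 10: project onto one of the disjoint pairs.  Every survivor has the
    # same weight, so pick one; an unpaired string (v odd) or the all-zero
    # string means the projection failed.
    pairs = [ys[j:j + 2] for j in range(0, len(ys) - 1, 2)]
    hit = rng.choice(survivors)
    pair = next((p for p in pairs if hit in p), None)
    if pair is None:
        return None
    # Step 11: order the pair so that x.y* >= x.y**, then x' = x.(y* - y**).
    ystar, ystar2 = sorted(pair, key=lambda y: dot(labels, y), reverse=True)
    xp = dot(labels, ystar) - dot(labels, ystar2)
    # Steps 12-16: rejection sampling.  Aborting with probability
    # 1 - B'/(2B' - x') is what leaves the accepted x' uniform on {0..B'-1}.
    if 1 <= xp < bp:
        if rng.random() < 1 - bp / (2 * bp - xp):
            return None
    elif xp >= bp:
        return None
    # Step 17: relabel |y**> -> |0>, |y*> -> |1>.  The state on the pair is
    # amp[y**]|0> + amp[y*]|1>, whose relative phase must equal w^{s x'}.
    rel = amp[ystar] / amp[ystar2]
    return xp, abs(rel - phase(s, xp, n)) < 1e-9


def run_trials(trials, seed=1):
    """Run Algorithm 4 on fresh uniformly random labels; collect the successes."""
    rng = random.Random(seed)
    out = []
    for _ in range(trials):
        labels = [rng.randrange(B) for _ in range(K)]
        res = combine(labels, S, N, B, BP, rng)
        if res is not None:
            out.append(res)
    return out
```

Every run that reaches Step 17 returns a label below $B'$ together with a confirmation that the relative phase is exactly $\omega^{sx'}$; the aborts are the ones the proof of Lemma A.2 accounts for.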

We apply this combination procedure using the generalized sieve of Algorithm 5, which is equivalent to Regev's "pipeline of routines" [28].

Lemma A.3. Suppose $m e^{-2k} = o(1)$. Then Algorithm 5 is correct, succeeds with probability $1 - o(1)$ using $k^{(1+o(1))m}$ state preparations and combination operations, and uses space $O(mk)$.

Proof. If Algorithm 5 outputs a state from $S_m$ then it is correct. Since the algorithm never stores more than $O(mk)$ states at a time, it uses space $O(mk)$. It remains to show that the algorithm is likely to succeed using only $k^{(1+o(1))m}$ state preparations and combination operations.
Algorithm 5 Sieving quantum states

Input: Procedures to prepare states from a set $S_0$ and to combine $k$ states from $S_{i-1}$ to make a state from $S_i$ with probability at least $p$ for each $i \in \{1, \ldots, m\}$
Output: State from $S_m$
1: repeat
2: while for all $i$ we have fewer than $k$ states from $S_i$ do
3: Make a state from $S_0$
4: end while
5: Combine $k$ states from some $S_i$ to make a state from $S_{i+1}$ with probability at least $p$
6: until there is a state from $S_m$



If we could perform combinations deterministically, we would need

1 state from $S_m$,
$k$ states from $S_{m-1}$,
$k^2$ states from $S_{m-2}$,
$\vdots$
$k^m$ states from $S_0$.

Since the combinations only succeed with probability $p$, we lower bound the probability of eventually producing $(2k/p)^{m-i}$ states from $S_i$ for each $i \in \{1, \ldots, m\}$ (so in particular, we produce one state from $S_m$). Given $(2k/p)^{m-i+1}$ states from $S_{i-1}$, the expected number of successful combinations is $p(2k/p)^{m-i+1}/k = 2(2k/p)^{m-i}$, whereas only $(2k/p)^{m-i}$ successful combinations are needed. By the Chernoff bound, the probability of having fewer than $(2k/p)^{m-i}$ successful combinations is at most $e^{-p(2k/p)^{m-i}}$. Thus, by the union bound, the probability that the algorithm fails is at most
\[
\sum_{i=1}^{m-1} e^{-p(2k/p)^{m-i}} \le m e^{-2k} = o(1),
\]
so the probability of success is $1 - o(1)$.

Finally, the number of states from $S_0$ is $(2k/p)^m = k^{(1+o(1))m}$ and the total number of combinations is $\sum_{i=0}^{m-1} (2k/p)^{m-i}/k = k^{(1+o(1))m}$.

When using the sieve, we have the freedom to choose the relationship between $k$ and $m$ to optimize the running time. Suppose that $mk = (1 + o(1)) \log_2 N$ (intuitively, to cancel $\log_2 N$ bits of the label), and also suppose that the combination operation takes time $2^k \mathrm{poly}(\log N)$ (as in Lemma A.2). Then if we take $k = c\sqrt{\log_2 N \log_2 \log_2 N}$, we find that the overall running time of Algorithm 5 is $2^k 2^{(1+o(1))m \log_2 k} \mathrm{poly}(\log N) = L_N(\tfrac{1}{2}, c + \tfrac{1}{2c})$. Choosing $c = \tfrac{1}{\sqrt{2}}$ gives the best running time, $L_N(\tfrac{1}{2}, \sqrt{2})$.

We now consider how to apply the sieve. To use Lemma A.1, our goal is to prepare states of the form $|\psi_{2^j}\rangle$ for each $j \in \{0, 1, \ldots, \lfloor \log_2 N \rfloor\}$. First we show how to prepare the state $|\psi_1\rangle$ in time $L_N(\tfrac{1}{2}, \sqrt{2})$ using Algorithm 4 as the combination procedure in Algorithm 5. For $i \in \{0, 1, \ldots, m\}$, the $i$th stage of the sieve produces states with labels from $S_i = \{0, 1, \ldots, B_i - 1\}$. Lemma A.4 below shows that there is a choice of the $B_i$ with $B_0 = N$, $B_m = 2$, and successive ratios of the $B_i$'s satisfying the conditions of Lemma A.2, such that $2^k k^{(1+o(1))m} = L_N(\tfrac{1}{2}, \sqrt{2})$. It then follows that Algorithm 5 produces a uniformly random label from $S_m = \{0, 1\}$ with constant probability in time $L_N(\tfrac{1}{2}, \sqrt{2})$, and in particular, can be used to produce a copy of $|\psi_1\rangle$ in time $L_N(\tfrac{1}{2}, \sqrt{2})$.

Lemma A.4. There is a constant $N_0$ such that for all $N > N_0$, letting $B_i = \lfloor N/p^i \rfloor$ where $p = (N/2)^{1/m}$ and
\[
k = \left\lfloor \sqrt{\tfrac{1}{2} \log_2 N \log_2 \log_2 N} \right\rfloor, \qquad m = \left\lceil \frac{\log_2 (N/2)}{k - \log_2 2k} \right\rceil \in \Theta\left(\sqrt{\frac{\log_2 N}{\log_2 \log_2 N}}\right),
\]
we have $B_0 = N$, $B_m = 2$, and $4k < B_{i-1}/B_i < 2^k/k$ for all $i \in \{1, \ldots, m\}$.



Proof. Clearly $B_0 = N$, and the value of $p$ is chosen so that $B_m = 2$. For $i \in \{1, \ldots, m\}$, we have
\[
\frac{B_{i-1}}{B_i} = \frac{\lfloor N/p^{i-1} \rfloor}{\lfloor N/p^i \rfloor} \le \frac{N/p^{i-1}}{N/p^i - 1} = \frac{p}{1 - p^i/N}.
\]
Since $p^i/N \le p^m/N = 1/2$, we have $B_{i-1}/B_i \le 2p$. Then using
\[
p \le (N/2)^{\frac{k - \log_2 2k}{\log_2 (N/2)}} = \frac{2^k}{2k}
\]
gives $B_{i-1}/B_i < 2^k/k$ as claimed.

Similarly, we have
\[
\frac{B_{i-1}}{B_i} = \frac{\lfloor N/p^{i-1} \rfloor}{\lfloor N/p^i \rfloor} \ge \frac{N/p^{i-1} - 1}{N/p^i} = p - \frac{p^i}{N} \ge p - \frac{1}{2}.
\]
Since $p = (N/2)^{1/m} = 2^{\Theta(\sqrt{\log_2 N \log_2 \log_2 N})}$, we have $p - \tfrac{1}{2} > 4k$ for sufficiently large $N$. This completes the proof.

If $N$ is odd, then division by 2 is an automorphism of $\mathbb{Z}_N$. Thus we can prepare $|\psi_{2^j}\rangle$ by performing the above sieve under the automorphism $x \mapsto 2^{-j}x$. It follows that the abelian hidden shift problem in a cyclic group of odd order $N$ can be solved in time $L_N(\tfrac{1}{2}, \sqrt{2})$.

Now suppose that $N = 2^n$ is a power of 2. In this case, we first use a combination procedure that zeros out low-order bits, as described in Algorithm 6. We use the notation $xS := \{xz : z \in S\}$ for any $x \in \mathbb{Z}$ and $S \subseteq \mathbb{Z}$.

Lemma A.5. Algorithm 6 runs in time $2^k \mathrm{poly}(\log N)$ and succeeds with probability $\Omega(1)$ provided $k \ge \ell' - \ell + 1$.

Proof. The proof is similar to that of Lemma A.2. Again the running time is dominated by the brute force calculation in Step 3 and the projection in Step 7, both of which can be performed in time $2^k \mathrm{poly}(\log N)$.
Algorithm 6 Combining states to cancel low-order bits

Input: Parameters $\ell, \ell'$ and states $|\psi_{x_1}\rangle, \ldots, |\psi_{x_k}\rangle$ with known $x_1, \ldots, x_k \in_R 2^\ell\{0, 1, \ldots, N/2^\ell - 1\}$
Output: State $|\psi_{x'}\rangle$ with known $x' \in_R 2^{\ell'}\{0, 1, \ldots, N/2^{\ell'} - 1\}$
1: Introduce an ancilla register and compute
\[
\frac{1}{\sqrt{2^k}} \sum_{y \in \{0,1\}^k} \omega^{s(x \cdot y)} |y\rangle |x \cdot y \bmod 2^{\ell'}\rangle
\]
2: Measure the ancilla register, giving an outcome $r$ and a state
\[
\frac{1}{\sqrt{v}} \sum_{j=1}^{v} \omega^{s(x \cdot y^j)} |y^j\rangle
\]
where $y^1, \ldots, y^v \ne 0^k$ are the $k$-bit strings such that $x \cdot y^j \bmod 2^{\ell'} = r$
3: Compute $y^1, \ldots, y^v$ by brute force
4: if $v = 1$ then
5: Abort
6: end if
7: Project onto $\mathrm{span}\{|y^1\rangle, |y^2\rangle\}$ or $\mathrm{span}\{|y^3\rangle, |y^4\rangle\}$ or $\ldots$ or $\mathrm{span}\{|y^{2\lfloor v/2 \rfloor - 1}\rangle, |y^{2\lfloor v/2 \rfloor}\rangle\}$, giving an outcome $\mathrm{span}\{|y^*\rangle, |y^{**}\rangle\}$
8: Relabel $|y^{**}\rangle \mapsto |0\rangle$ and $|y^*\rangle \mapsto |1\rangle$, giving a state $|\psi_{x'}\rangle$ with $x' = x \cdot (y^* - y^{**}) \bmod N$



We claim that the algorithm is correct if it reaches Step 8. Observe that $x \cdot y^j \bmod N = q^j 2^{\ell'} + r$ where $r$ is independent of $j$. Since $y^j \ne 0^k$, $x \cdot y^j \bmod N \in_R 2^\ell\{0, 1, \ldots, N/2^\ell - 1\}$, so $q^j \in_R \{0, 1, \ldots, N/2^{\ell'} - 1\}$, and hence $x' = (q^* - q^{**})2^{\ell'} \bmod N \in_R 2^{\ell'}\{0, 1, \ldots, N/2^{\ell'} - 1\}$ as required.

The projection in Step 7 fails with probability at most $1/3 + o(1)$. It remains to show that the algorithm reaches Step 7 with probability $\Omega(1)$, i.e., to upper bound the probability that $v = 1$. Call a value of $r$ bad if $v = 1$. There are $2^{\ell' - \ell}$ possible values of $r$, so in particular there are at most $2^{\ell' - \ell}$ bad values of $r$. Since the probability of any particular bad $r$ is $1/2^k$, the probability that $r$ is bad is at most $2^{\ell' - \ell - k} \le 1/2$. This completes the proof.



Algorithm 6 is similar to the combination procedure used in [28], but differs in that the latter requires $v = O(1)$, which is established in the analysis using a second moment argument. The modification of pairing as many values of $y$ as possible allows us to use a simpler analysis (with essentially the same performance).

To produce a state of the form $|\psi_{2^j}\rangle$, we first use Algorithm 6 to cancel low-order bits and then use Algorithm 4 to cancel high-order bits. Note that if all states have labels $x$ with a common factor (say, $2^j \mid x$), then we can view the labels as elements of $\mathbb{Z}_{2^{n-j}}$ and apply Algorithm 4 to affect the $n - j$ most significant bits. Specifically, to make the state $|\psi_{2^j}\rangle$, we apply Algorithm 5 using Algorithm 6 as the combination procedure that produces states from $S_i$ using states from $S_{i-1}$ for $i \in \{1, \ldots, m_1 + 1\}$, and Algorithm 4 (on the $n - j$ most significant bits) as the combination procedure for $i \in \{m_1 + 2, \ldots, m_1 + m_2 + 1\}$, taking
\[
S_i = \begin{cases} 2^{(k-1)i}\{0, 1, \ldots, 2^{n-(k-1)i} - 1\} & \text{for } i \in \{0, 1, \ldots, m_1\} \\ 2^j\{0, 1, \ldots, B_i - 1\} & \text{for } i \in \{m_1 + 1, \ldots, m_1 + m_2 + 1\} \end{cases}
\]
where now
\[
B_i = \lfloor 2^{n-j}/p^{i-m_1-1} \rfloor, \qquad m_1 = \lfloor j/(k-1) \rfloor, \qquad p = 2^{(n-j-1)/m_2}, \qquad m_2 = \left\lceil \frac{n - j - 1}{k - \log_2 2k} \right\rceil,
\]
and again $k = \lfloor \sqrt{\tfrac{1}{2} \log_2 N \log_2 \log_2 N} \rfloor$. When making states in $S_i$ from states in $S_{i-1}$ for $i \in \{1, \ldots, m_1\}$, we cancel $k - 1$ bits with $k$ states, so the condition of Lemma A.5 is satisfied. For $i = m_1 + 1$, we cancel $j - (k-1)m_1 = j - (k-1)\lfloor j/(k-1) \rfloor < j - (k-1)[j/(k-1) - 1] = k - 1$ bits, so again the condition of Lemma A.5 is satisfied. For $i \in \{m_1 + 2, \ldots, m_1 + m_2 + 1\}$, Lemma A.4 implies that the conditions of Lemma A.2 are satisfied provided $2^{n-j} > N_0$. (If $2^{n-j} \le N_0$ then we only need to perform the first $m_1 + 1$ stages of the sieve, producing a state uniformly at random from $S_{m_1+1}$; in this case $|S_{m_1+1}| = O(1)$, so $O(1)$ repetitions suffice to produce a copy of $|\psi_{2^j}\rangle$.) Finally, since $(m_1 + m_2 + 1)k = (1 + o(1))n$, the discussion following Lemma A.3 shows that Algorithm 5 takes time $L_N(\tfrac{1}{2}, \sqrt{2})$.

So far we have covered the case where the group is $A = \mathbb{Z}_N$ with $N$ either odd or a power of 2. Now consider the case of a general finite abelian group $A = \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$. By the Chinese remainder theorem, we can assume without loss of generality that each $N_i$ is either odd or a power of 2. Consider what happens if we apply Algorithm 4 or Algorithm 6 to one component of a product of cyclic groups. Suppose we combine $k$ states of the form of Eqn. ($\psi$). For each $i \in \{1, \ldots, k\}$, let $x_i \in \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ denote the label of the $i$th state, with $x_{i,j} \in \mathbb{Z}_{N_j}$ for $j \in \{1, \ldots, t\}$. To address the $\ell$th component of $A$, the combination procedure prepares a state
\[
\frac{1}{\sqrt{2^k}} \sum_{y \in \{0,1\}^k} \exp\left(2\pi i \sum_{i=1}^k \sum_{j=1}^t \frac{s_j x_{i,j} y_i}{N_j}\right) |y\rangle \Big| h\Big(\sum_{i=1}^k x_{i,\ell} y_i\Big) \Big\rangle
\]
for some function $h$ (a quotient in Algorithm 4 or a remainder in Algorithm 6). For $j \ne \ell$, if $x_{i,j} = 0$ for all $i \in \{1, \ldots, k\}$ then $x'_j = \sum_{i=1}^k x_{i,j}(y^*_i - y^{**}_i) = 0$: components that are initially zero remain zero. Thus, if we can prepare states $|\psi_x\rangle$ with $x_\ell \in_R \mathbb{Z}_{N_\ell}$ (for any desired $\ell \in \{1, \ldots, t\}$) and all other components zero, we effectively reduce the problem to the cyclic case.

To prepare such states, we use a new combination procedure, Algorithm 7. Without loss of generality, our goal is to zero out the first $t - 1$ components, leaving the last one uniformly random from $\mathbb{Z}_{N_t}$. Algorithm 7 is similar to Algorithm 4, viewing the first $t - 1$ components of the label $x_i \in \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ as the mixed-radix integer
\[
\mu(x_i) := \sum_{j=1}^{t-1} x_{i,j} \prod_{j'=1}^{j-1} N_{j'}.
\]
Because we are merely trying to zero out certain components, we no longer require uniformity of the states output by the sieve, which simplifies the procedure and its analysis.

Lemma A.6. Algorithm 7 runs in time $2^k \mathrm{poly}(\log N)$ and succeeds with probability $\Omega(1)$ provided $B/B' < 2^k/2k$.

Proof. As in Lemma A.2 and Lemma A.5, the running time is dominated by the brute force calculation in Step 3 and the projection in Step 7, both of which can be performed in time $2^k \mathrm{poly}(\log N)$.
Algorithm 7 Combining non-cyclic states to reduce undesired components

Input: Parameters $B, B'$ and states $|\psi_{x_1}\rangle, \ldots, |\psi_{x_k}\rangle$ with known $x_1, \ldots, x_k \in \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ satisfying $\mu(x_i) \in \{0, 1, \ldots, B - 1\}$ for each $i \in \{1, \ldots, k\}$, with $x_{i,t} \in_R \mathbb{Z}_{N_t}$
Output: State $|\psi_{x'}\rangle$ with known $x' \in \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ satisfying $\mu(x') \in \{0, 1, \ldots, B' - 1\}$, with $x'_t \in_R \mathbb{Z}_{N_t}$
1: Introduce an ancilla register and compute
\[
\frac{1}{\sqrt{2^k}} \sum_{y \in \{0,1\}^k} \exp\left(2\pi i \sum_{i=1}^k \sum_{j=1}^t \frac{s_j x_{i,j} y_i}{N_j}\right) |y\rangle \Big| \Big\lfloor \sum_{i=1}^k \mu(x_i) y_i / B' \Big\rfloor \Big\rangle
\]
2: Measure the ancilla register, giving an outcome $q$ and a state
\[
\frac{1}{\sqrt{v}} \sum_{j=1}^{v} \exp\left(2\pi i \sum_{i=1}^k \sum_{j'=1}^t \frac{s_{j'} x_{i,j'} y^j_i}{N_{j'}}\right) |y^j\rangle
\]
where $y^1, \ldots, y^v \ne 0^k$ are the $k$-bit strings such that $\lfloor \sum_{i=1}^k \mu(x_i) y^j_i / B' \rfloor = q$
3: Compute $y^1, \ldots, y^v$ by brute force
4: if $v = 1$ then
5: Abort
6: end if
7: Project onto $\mathrm{span}\{|y^1\rangle, |y^2\rangle\}$ or $\mathrm{span}\{|y^3\rangle, |y^4\rangle\}$ or $\ldots$ or $\mathrm{span}\{|y^{2\lfloor v/2 \rfloor - 1}\rangle, |y^{2\lfloor v/2 \rfloor}\rangle\}$, giving an outcome $\mathrm{span}\{|y^*\rangle, |y^{**}\rangle\}$
8: Relabel $|y^{**}\rangle \mapsto |0\rangle$ and $|y^*\rangle \mapsto |1\rangle$ where $\sum_{i=1}^k \mu(x_i) y^*_i \ge \sum_{i=1}^k \mu(x_i) y^{**}_i$ WLOG, giving a state $|\psi_{x'}\rangle$ with $x'_j = \sum_{i=1}^k x_{i,j}(y^*_i - y^{**}_i)$ for each $j \in \{1, \ldots, t\}$



We claim that the algorithm is correct if it reaches Step 8. Since $\sum_{i=1}^k \mu(x_i) y^j_i = qB' + r^j$ where $q$ is independent of $j$ and $0 \le r^j < B'$, we have
\[
\mu(x') = \sum_{j=1}^{t-1} x'_j \prod_{j'=1}^{j-1} N_{j'} = \sum_{j=1}^{t-1} \sum_{i=1}^k x_{i,j}(y^*_i - y^{**}_i) \prod_{j'=1}^{j-1} N_{j'} = \sum_{i=1}^k \mu(x_i)(y^*_i - y^{**}_i) = r^* - r^{**} < B'
\]
as required. Since $y^* \ne y^{**}$ and the $x_{i,t}$ are uniformly random, $x'_t = \sum_{i=1}^k x_{i,t}(y^*_i - y^{**}_i)$ is uniformly random as required.

The projection in Step 7 fails with probability at most $1/3 + o(1)$. We claim the algorithm reaches Step 7 with probability $\Omega(1)$. To show this, we need to upper bound the probability that $v = 1$. Call a value of $q$ bad if $v = 1$. Since $0 \le \sum_{i=1}^k \mu(x_i) y_i \le k(B - 1)$, there are at most $kB/B'$ possible values of $q$, and in particular, there can be at most $kB/B'$ bad values of $q$. Since the probability of any particular bad $q$ is $1/2^k$, the probability that $q$ is bad is at most $kB/B'2^k < 1/2$. This completes the proof.

To apply Algorithm 7 as the combination procedure for Algorithm 5, we require a straightforward variant of Lemma A.4, as follows.

Lemma A.7. There is a constant $N_0$ such that for all $N > N_0$, letting $B_i = \lfloor N/p^i \rfloor$ where $p = N^{1/m}$ and
\[
k = \left\lfloor \sqrt{\tfrac{1}{2} \log_2 N \log_2 \log_2 N} \right\rfloor, \qquad m = \left\lceil \frac{\log_2 N}{k - \log_2 4k} \right\rceil \in \Theta\left(\sqrt{\frac{\log_2 N}{\log_2 \log_2 N}}\right),
\]
Algorithm 8 Abelian hidden shift problem

Input: Black box for the hidden shift problem in an abelian group $A$
Output: Hidden shift $s$
1: Write $A = \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_t}$ where each $N_i$ is either odd or a power of 2
2: for all $i \in \{1, \ldots, t\}$ do
3: if $N_i$ is odd then
4: for all $j \in \{0, \ldots, \lfloor \log_2 N_i \rfloor\}$ do
5: Apply Algorithm 5, first using Algorithm 7 to zero out all components except the $i$th one and then using Algorithm 4 under the $\mathbb{Z}_{N_i}$-automorphism $x \mapsto 2^{-j}x$ to produce a copy of $|\psi_{(0, \ldots, 0, 2^j, 0, \ldots, 0)}\rangle$ (see the proof of Theorem A.1 for detailed parameters)
6: end for
7: else
8: Let $N_i = 2^n$
9: for all $j \in \{0, \ldots, n - 1\}$ do
10: Apply Algorithm 5, first using Algorithm 7 to zero out all components except the $i$th one, then using Algorithm 6 to make states $|\psi_{(0, \ldots, 0, x, 0, \ldots, 0)}\rangle$ with $2^j \mid x$, and finally using Algorithm 4 to produce a copy of $|\psi_{(0, \ldots, 0, 2^j, 0, \ldots, 0)}\rangle$ (see the proof of Theorem A.1 for detailed parameters)
11: end for
12: end if
13: Apply Lemma A.1 with $N = N_i$ to give $s_i$
14: end for
15: Output $s = (s_1, \ldots, s_t)$



we have $B_0 = N$, $B_m = 1$, and $B_{i-1}/B_i < 2^k/2k$ for all $i \in \{1, \ldots, m\}$.

Proof. Clearly $B_0 = N$, and the value of $p$ is chosen so that $B_m = 1$. We have $B_{m-1} \le N/p^{m-1} = p$, and since
\[
p \le N^{\frac{k - \log_2 4k}{\log_2 N}} = \frac{2^k}{4k},
\]
the claimed inequality holds for $i = m$. For $i \in \{1, \ldots, m - 1\}$,
\[
\frac{B_{i-1}}{B_i} = \frac{\lfloor N/p^{i-1} \rfloor}{\lfloor N/p^i \rfloor} \le \frac{N/p^{i-1}}{N/p^i - 1} = \frac{p}{1 - p^i/N}.
\]
Since $p^i/N \le p^{m-1}/N = 1/p$, we have $B_{i-1}/B_i \le p/(1 - 1/p)$. Then using
\[
p = N^{\Theta(\sqrt{\log_2 \log_2 N / \log_2 N})} = 2^{\Theta(\sqrt{\log_2 N \log_2 \log_2 N})},
\]
we have $p \ge 2$ provided $N > N_0$ for some constant $N_0$, which implies $B_{i-1}/B_i < 2^k/2k$. This completes the proof.

Combining these ideas, the overall procedure is presented in Algorithm 8. 

Theorem A.1. Algorithm 8 runs in time $L_{|A|}(\tfrac{1}{2}, \sqrt{2})$.
Proof. In Step 1, if the structure of the group is not initially known, it can be determined in polynomial time using [9]. Given the structure of the group, for each term $\mathbb{Z}_N$ we can easily factor $N = 2^n M$ where $M$ is odd; then $\mathbb{Z}_N = \mathbb{Z}_{2^n} \times \mathbb{Z}_M$, and we obtain a decomposition of the desired form.

Now suppose without loss of generality that we are trying to determine $s_t$ (i.e., $i = t$ in Step 2). The main contribution to the running time comes from the sieves in Step 5 (for $N_t$ odd) and Step 10 (for $N_t$ a power of 2).

First suppose that $N_t$ is odd. It suffices to handle the case where $j = 0$, so we are making the state $|\psi_{(0, \ldots, 0, 1)}\rangle$. Then we apply Algorithm 5 with
\[
S_i = \begin{cases} \{x \in A : \mu(x) < B_i\} & \text{for } i \in \{0, 1, \ldots, m_1\} \\ \{x \in A : \mu(x) = 0 \text{ and } x_t < B_i\} & \text{for } i \in \{m_1 + 1, \ldots, m_1 + m_2\} \end{cases}
\]
where
\[
B_i = \begin{cases} \lfloor (N/N_t)/p_1^i \rfloor & \text{for } i \in \{0, 1, \ldots, m_1\} \\ \lfloor N_t/p_2^{i - m_1} \rfloor & \text{for } i \in \{m_1 + 1, \ldots, m_1 + m_2\} \end{cases}
\]
with
\[
p_1 = (N/N_t)^{1/m_1}, \qquad p_2 = (N_t/2)^{1/m_2}, \qquad m_1 = \left\lceil \frac{\log_2 (N/N_t)}{k - \log_2 4k} \right\rceil, \qquad m_2 = \left\lceil \frac{\log_2 (N_t/2)}{k - \log_2 2k} \right\rceil,
\]
and $k = \lfloor \sqrt{\tfrac{1}{2} \log_2 N \log_2 \log_2 N} \rfloor$. We use Algorithm 7 as the combination procedure for the first $m_1$ stages of Algorithm 5. By Lemma A.7, the condition of Lemma A.6 is satisfied provided $N/N_t > N_0$; otherwise we can produce a state with a label from $S_{m_1}$ in only $O(1)$ trials. Then we proceed to apply Algorithm 4 as the combination procedure for the remaining $m_2$ stages of Algorithm 5. By Lemma A.4, the conditions of Lemma A.2 are satisfied provided $N_t > N_0$; otherwise, producing states with labels from $S_{m_1}$ already suffices to produce the desired state with constant probability. Since $(m_1 + m_2)k = (1 + o(1)) \log_2 N$, Step 5 takes time $L_{|A|}(\tfrac{1}{2}, \sqrt{2})$ (see the discussion following the proof of Lemma A.3).

Now suppose that $N_t = 2^n$ is a power of 2. Then we apply Algorithm 5 with
\[
S_i = \begin{cases} \{x \in A : \mu(x) < B_i\} & \text{for } i \in \{0, 1, \ldots, m_1\} \\ \{x \in A : \mu(x) = 0 \text{ and } x_t \in 2^{(k-1)(i-m_1)}\{0, 1, \ldots, 2^{n-(k-1)(i-m_1)} - 1\}\} & \text{for } i \in \{m_1 + 1, \ldots, m_1 + m_2\} \\ \{x \in A : \mu(x) = 0 \text{ and } x_t \in 2^j\{0, 1, \ldots, B_i - 1\}\} & \text{for } i \in \{m_1 + m_2 + 1, \ldots, m_1 + m_2 + m_3 + 1\} \end{cases}
\]
where
\[
B_i = \begin{cases} \lfloor (N/N_t)/p_1^i \rfloor & \text{for } i \in \{0, 1, \ldots, m_1\} \\ \lfloor 2^{n-j}/p_3^{i - m_1 - m_2 - 1} \rfloor & \text{for } i \in \{m_1 + m_2 + 1, \ldots, m_1 + m_2 + m_3 + 1\} \end{cases}
\]
with
\[
p_1 = (N/N_t)^{1/m_1}, \qquad p_3 = 2^{(n-j-1)/m_3}, \qquad m_1 = \left\lceil \frac{\log_2 (N/N_t)}{k - \log_2 4k} \right\rceil, \qquad m_2 = \lfloor j/(k-1) \rfloor, \qquad m_3 = \left\lceil \frac{n - j - 1}{k - \log_2 2k} \right\rceil,
\]
and again $k = \lfloor \sqrt{\tfrac{1}{2} \log_2 N \log_2 \log_2 N} \rfloor$. We use Algorithm 7 as the combination procedure for the first $m_1$ stages, Algorithm 6 for the next $m_2 + 1$ stages, and Algorithm 4 (on the $n - j$ most significant bits) for the final $m_3$ stages. By Lemma A.7 and Lemma A.4, the conditions of Lemma A.6 and Lemma A.2 are satisfied, respectively. Since we cancel at most $k - 1$ bits in each stage that uses Algorithm 6, the conditions of Lemma A.5 are satisfied for the intermediate stages. Finally, since $(m_1 + m_2 + m_3 + 1)k = (1 + o(1)) \log_2 N$, Step 10 takes time $L_{|A|}(\tfrac{1}{2}, \sqrt{2})$.

The loops in Step 2, Step 4, and Step 9 only introduce polynomial overhead. Step 13 takes polynomial time and Step 15 is negligible. Thus the overall running time is $L_{|A|}(\tfrac{1}{2}, \sqrt{2})$ as claimed.